[Samba] Samba 3.2.4 not locking accounts?
David Markey
dmarkey at comp.dit.ie
Wed Nov 5 17:01:15 GMT 2008
https://bugzilla.samba.org/show_bug.cgi?id=5825
I raised this bug a while ago experiencing what you are. Nobody seems to
have done much about it.
Victor Medina wrote:
> Hello guys!
>
> I'm using samba 3.2.4 (binaries from samba.org) on SLES9+sp3.
>
> I am building a PDC with LDAP support (I am attaching my config files),
> I'm also using ldapsam:trusted and ldapsam:editposix.
>
> Although I am setting the account lock after 3 failed tries in usrmgr,
> and verified that the parameters are actually set in the LDAP, no
> locking occurs.
>
> I started thinking that it was my fault, since I generate my own LDIF
> from a small app I created that reads a Windows AD and creates/fills an
> OpenLDAP with the relevant info that Linux (posix account information)
> and Samba need, just like my "own" "net vampire", just that mine reads
> a native AD and migrates to Samba; it just defaults passwords to 1-8.
>
> cool! eh? ;)
>
> Since everything seemed to work OK except for the account locking, I
> rebuilt the server from scratch using "net sam provision", created an
> extra account and joined a machine, but it still seems account locking
> is not working on Samba 3.2.4.
>
> Any ideas/suggestions are welcome.
>
> Victor Medina
>
>
>
> **************
> Some relevant steps I did to set it up
> **************
>
>
> smbpasswd -w 12345678
> net idmap secret DEFAULT 12345678
> net idmap secret alloc 12345678
> rcwinbind restart
> net sam provision
> smbpasswd administrator
> net rpc rights grant "c1.ve\administrator" SeMachineAccountPrivilege \
>     SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege \
>     SeDiskOperatorPrivilege SeTakeOwnershipPrivilege -U administrator
>
> rcsmb start && rcnmb start && rcwinbind start
>
> ***********************************
> SMB.conf (global)
> ***********************************
>
> [global]
> workgroup = C1.VE
> netbios name = PDC-EPA1
> security = user
> guest account = Invitado
> map to guest = Bad User
> enable privileges = yes
> server string =
> time server = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> domain logons = yes
> domain master = yes
> os level = 65
> preferred master = yes
> wins support = yes
> deadtime = 20
> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
> encrypt passwords = yes
> passdb backend = ldapsam:ldap://127.0.0.1
> ldap admin dn = cn=Administrador,dc=xxxx
> ldap suffix = dc=c1,c=ve,dc=xxx
> ldap user suffix = ou=people
> ldap group suffix = ou=group
> ldap machine suffix = ou=people
> ldap delete dn = yes
> ldap passwd sync = yes
>
>
> ldapsam:trusted = yes
> ldapsam:editposix = yes
>
> idmap domains = DEFAULT
> idmap config DEFAULT:backend = ldap
> idmap config DEFAULT:readonly = no
> idmap config DEFAULT:default = yes
> idmap config DEFAULT:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
> idmap config DEFAULT:ldap_user_dn = cn=Administrador,dc=xxx
> idmap config DEFAULT:ldap_url = ldap://127.0.0.1
> idmap config DEFAULT:range = 10000-100000
>
> idmap alloc backend = ldap
> idmap alloc config:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
> idmap alloc config:ldap_user_dn = cn=Administrador,dc=xxx
> idmap alloc config:ldap_url = ldap://127.0.0.1
> idmap alloc config:range = 10000-100000
>
> printing = cups
> printcap name = cups
> show add printer wizard = yes
> load printers = yes
>
>
> create mask = 0640
> directory mask = 0750
> force create mode = 0640
> force directory mode = 0750
> preserve case = yes
> short preserve case = yes
> case sensitive = no
> mangling method = hash2
> Dos charset = 850
> Unix charset = ISO8859-1
> nt acl support = yes
>
> ***********************
> slapd.conf
> ***********************
>
> modulepath /usr/lib/openldap/modules
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba3.schema
>
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
>
> access to dn.base=""
> by * read
>
> access to dn.base="cn=Subschema"
> by * read
>
> access to attrs=userPassword,userPKCS12
> by self write
> by * auth
>
> access to attrs=shadowLastChange
> by self write
> by * read
>
> access to *
> by * read
>
> loglevel -1
>
> database bdb
> suffix "dc=xxx"
> rootdn "cn=Administrador,dc=xxx"
> rootpw "{SSHA}xxx"
> directory /var/lib/ldap/
>
> checkpoint 1024 5
> cachesize 10000
>
>
> index objectClass,uidNumber,gidNumber,memberUid eq
> index member,mail eq,pres
> index cn,displayname,uid,sn,givenname sub,eq,pres
> index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
> index default sub
>
> *****************************
> LDIF:
> *****************************
> # This file was generated on 2008-11-05 at 11:20:00
> # from the ldap://172.16.152.200:389 (bound as cn=Administrador,dc=xxxx)
> # by Softerra LDAP Administrator v3 [ http://www.ldapadministrator.com ]
> dn: c=ve,dc=xxxx
> c: ve
> objectClass: top
> objectClass: country
> description: Infraestructura Tecnologica - Venezuela
>
> dn: dc=c1,c=ve,dc=xxxx
> dc: c1
> objectClass: dcObject
> objectClass: organizationalUnit
> ou: Tienda 1 / Oficina Central xxxx / Venezuela
> description: xxxx / Oficina Central EPA / Venezuela
>
> dn: ou=people,dc=c1,c=ve,dc=xxxx
> objectClass: top
> objectClass: organizationalUnit
> ou: people
>
> dn: ou=group,dc=c1,c=ve,dc=xxxx
> objectClass: top
> objectClass: organizationalUnit
> ou: group
>
> dn: ou=idmap,dc=c1,c=ve,dc=xxxx
> objectClass: top
> objectClass: organizationalUnit
> objectClass: sambaUnixIdPool
> ou: idmap
> gidNumber: 10016
> uidNumber: 10004
>
> dn: sambaDomainName=C1.VE,dc=c1,c=ve,dc=xxxx
> sambaDomainName: C1.VE
> sambaSID: S-1-5-21-1230964018-1252349843-1944742870
> sambaAlgorithmicRidBase: 1000
> objectClass: sambaDomain
> sambaNextUserRid: 1000
> sambaRefuseMachinePwdChange: 0
> sambaNextRid: 1002
> sambaLockoutDuration: -1
> sambaLockoutObservationWindow: 30
> sambaLockoutThreshold: 3
> sambaMinPwdLength: 5
> sambaPwdHistoryLength: 5
> sambaLogonToChgPwd: 0
> sambaMaxPwdAge: 7776000
> sambaMinPwdAge: 0
> sambaForceLogoff: -1
>
> dn: cn=domusers,ou=group,dc=c1,c=ve,dc=xxxx
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: domusers
> displayName: Domain Users
> gidNumber: 10000
> sambaSID: S-1-5-21-1230964018-1252349843-1944742870-513
> sambaGroupType: 2
>
> dn: cn=domadmins,ou=group,dc=c1,c=ve,dc=xxxx
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: domadmins
> displayName: Domain Admins
> gidNumber: 10001
> sambaSID: S-1-5-21-1230964018-1252349843-1944742870-512
> sambaGroupType: 2
>
> dn: uid=Administrator,ou=people,dc=c1,c=ve,dc=xxxx
> objectClass: account
> objectClass: posixAccount
> objectClass: sambaSamAccount
> uid: Administrator
> cn: Administrator
> displayName: Administrator
> uidNumber: 10000
> gidNumber: 10001
> homeDirectory: /home/C1.VE/Administrator
> loginShell: /bin/false
> sambaSID: S-1-5-21-1230964018-1252349843-1944742870-500
> sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
> sambaPasswordHistory:
>  0000000000000000000000000000000000000000000000000000000000000000
> sambaPwdLastSet: 1225815211
> sambaAcctFlags: [U ]
> userPassword: {SSHA}YP8U0rTihCaNlp83JlS+ZWJv4jyEFhH8
> sambaProfilePath::
>  IA==
>
> dn: uid=Invitado,ou=people,dc=c1,c=ve,dc=xxxx
> objectClass: account
> objectClass: posixAccount
> objectClass: sambaSamAccount
> uid: Invitado
> cn: Invitado
> displayName: Invitado
> uidNumber: 10001
> gidNumber: 10000
> homeDirectory: /
> loginShell: /bin/false
> sambaSID: S-1-5-21-1230964018-1252349843-1944742870-501
> sambaAcctFlags: [DU ]
>
> dn: sambaSID=S-1-5-32-544,ou=group,dc=c1,c=ve,dc=xxxx
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-544
> sambaGroupType: 4
> displayName: Administrators
> gidNumber: 10002
> sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-512
>
> dn: sambaSID=S-1-5-32-545,ou=group,dc=c1,c=ve,dc=xxxx
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-545
> sambaGroupType: 4
> displayName: Users
> gidNumber: 10003
> sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-513
>
> dn: uid=FERRETER-PRUQ3Z$,ou=people,dc=c1,c=ve,dc=xxxx
> uid: FERRETER-PRUQ3Z$
> sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1001
> sambaAcctFlags: [W ]
> objectClass: sambaSamAccount
> objectClass: account
> objectClass: posixAccount
> cn: FERRETER-PRUQ3Z$
> uidNumber: 10002
> gidNumber: 10000
> homeDirectory: /home/C1.VE/SMB_workstations_home
> loginShell: /bin/false
> sambaNTPassword: B055ADEFB17BCC6E6FAC8D1AC4A74DF9
> sambaPwdLastSet: 1225815330
>
> dn: uid=test001,ou=people,dc=c1,c=ve,dc=xxxx
> uid: test001
> sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1002
> objectClass: sambaSamAccount
> objectClass: account
> objectClass: posixAccount
> cn: test001
> uidNumber: 10003
> gidNumber: 10000
> homeDirectory: /home/C1.VE/test001
> loginShell: /bin/false
> sambaKickoffTime: 0
> sambaNTPassword: AD396BEB5A4668D740B3A9ADC48655A8
> sambaPasswordHistory:
>  B2AA5A8D71A95E53A0B4F943CDF222B2F54631924E73FE70C98B6731A1656B04000000000000
>  0000000000000000000000000000000000000000000000000000000000000000000000000000
>  0000000000000000000000000000000000000000000000000000000000000000000000000000
>  0000000000000000000000000000000000000000000000000000000000000000000000000000
>  0000000000000000
> sambaPwdLastSet: 1225815887
> userPassword: {SSHA}nRA+2FYkZPXKBN1wri6HBcuTk2ZA6zqP
> sambaProfilePath::
>  IA==
> sambaAcctFlags: [U ]
> sambaBadPasswordTime: 0
> sambaBadPasswordCount: 0
>
>
>
>
>